Network function virtualization (NFV) is a standards organization established with the objective of virtualizing conventional networks; it formulates a set of standards for deploying networks in a virtualization environment. By means of the standards formulated by the NFV organization, capabilities such as network virtualization and flexible deployment can be implemented.
With the introduction of the virtualized network function (VNF) in NFV technology, the conventional telecommunications network architecture and network node architecture change considerably. In the new telecommunications architecture, a conventional physical telecommunications node evolves into a virtual node in a virtual device and exists in the form of a virtual machine. In this way, multiple conventional physical nodes are jointly deployed on the same physical host machine and share its hardware resources, and may even share resources with other third-party application software, thereby increasing the performance of communication between different virtual machines in the same virtual device.
For example, a conventional Internet Protocol (IP) network evolves into a virtual network by means of a virtual switch and a virtual network adapter, and different virtual machines communicate with each other over the virtual network, so that the conventional physical network device is bypassed.
The virtual network is no different from a conventional network: both communication between virtual machines inside the virtual network and communication between a virtual machine and an external network face network security risks. For example, virtual machines may attack each other, or a host machine application may carry out an attack through its interconnection to the virtual machine network. Therefore, a secure connection is established between the virtual machines on the virtual network using a security technology (for example, IP security (IPsec) or transport layer security (TLS)). With these security technologies, the two virtual machines that communicate with each other each need to be configured with an X.509-based certificate, so that each end can authenticate its communication peer.
In a virtualized scenario, a VNF is a set of software and is instantiated when needed. Instantiating a VNF is the process of determining the required virtualization resources, allocating them to one piece of VNF software, and installing that software. The instantiated VNF is not a conventional hardware entity and does not exist permanently; it is generated in software form according to need and exists dynamically, and the physical location at which it is installed is not fixed. Therefore, the conventional entity certificate configuration method is not applicable to virtual software such as a VNF.
To configure a certificate for a VNF in a way that suits these features, the following certificate configuration method is currently provided: during the VNF instantiation process, an operator configures an initial certificate for the instantiated VNF and installs it on that VNF. The instantiated VNF then uses the initial certificate to acquire a certificate from a certification authority (CA).
In practice, a virtualized network function component (VNFC) is used as a component of a VNF, and a VNFC acquires a certificate issued by the CA in the same way as the VNF does. That is, when the VNF is instantiated, an initial certificate is configured for each VNFC, and the initial certificate is installed once the VNFC has been instantiated. The VNFC instance then uses the initial certificate to apply to the CA for a formal certificate. Once the initial certificate is introduced, the process by which the VNF acquires its certificate is relatively complex, and the private key associated with the initial certificate is exposed to a leakage risk during transfer, which reduces the security of certificate acquisition for the VNF.
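As an added illustration (not code from the original text or from any NFV project), the following Go program models the certificate-acquisition step just described using the standard crypto/x509 package: the operator issues a short-lived initial certificate to the VNFC instance at instantiation, the VNFC generates its own key pair locally and countersigns its CSR with the initial key, and the CA issues the formal certificate only after checking that the initial certificate chains to the operator root, that the requester holds both keys, and that both name the same instance. The instance name carried in the CN, the Ed25519 keys, the one-hour lifetime and the CSR countersignature standing in for a mutually authenticated channel are all assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs a one-hour certificate for cn; a nil parent yields the self-signed operator root.
func issue(cn string, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)} // demo serial, not a CA register
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent = true, true, x509.KeyUsageCertSign, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
// vnfcRequest is the VNFC side: a fresh key pair is generated locally (it never leaves the VNFC) and the CSR is countersigned with the initial key installed at instantiation.
func vnfcRequest(cn string, initKey ed25519.PrivateKey) (csrDER, sig []byte) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	csrDER, _ = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return csrDER, ed25519.Sign(initKey, csrDER)
}
// IssueFormal is the CA side: issue only if the initial certificate chains to the operator root, the requester holds both the initial key (sig) and the new key (CSR signature), and the names agree.
func IssueFormal(root *x509.Certificate, caKey ed25519.PrivateKey, initial *x509.Certificate, csrDER, sig []byte) (*x509.Certificate, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	_, chainErr := initial.Verify(x509.VerifyOptions{Roots: pool})
	for _, e := range []error{chainErr, initial.CheckSignature(x509.PureEd25519, csrDER, sig), csr.CheckSignature()} {
		if e != nil {
			return nil, e
		}
	}
	pub, ok := csr.PublicKey.(ed25519.PublicKey) // reject unsupported key types instead of panicking
	if !ok || csr.Subject.CommonName != initial.Subject.CommonName {
		return nil, errors.New("CSR key type or identity not accepted for this initial certificate")
	}
	return issue(csr.Subject.CommonName, root, pub, caKey), nil
}
```

The initial key is the only private key that has to be transferred to the VNFC; the formal certificate's key never leaves it, so the leakage exposure the text notes is confined to the short-lived initial credential.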
However, in an NFV scenario, the VNF may have multiple embodiments. During use, a new VNFC may need to be added to improve network performance. If the newly added VNFC needs to communicate with the outside, it needs to acquire a certificate; if the foregoing method of using an initial certificate to acquire a formal certificate is still used, the process is cumbersome and becomes even more complex, and moreover the system responds more slowly and runs less efficiently.